< BACK TO NEWS
importantSYS.SOURCE: The Hacker News2026-07-11T23:29:26+05:30

Compromised jscrambler 8.14.0 npm Package Executes Rust Infostealer During Installation

#npm compromise#Rust malware#infostealer#supply chain attack#software security

A malicious version of the jscrambler npm package (8.14.0) was discovered to execute a Rust-based infostealer during installation, compromising developer systems. The infostealer steals sensitive data including cloud credentials, cryptocurrency wallets, and AI tool configurations, with payloads targeting Windows, macOS, and Linux.

The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux.

Socket flagged the release six minutes after it was published. If you or one of your

Read original article

*** END OF TRANSMISSION ***